Forum Discussion
kbeeveer46
Aug 18, 2021
Copper Contributor
How do I hide/encrypt connection strings or API keys in my web parts?
I am making API calls in my web parts to get information from other apps within our company (not hosted in SharePoint). I am storing the API keys and connection strings (urls) to these APIs in a set...
Aug 19, 2021
For APIs, they should be secured with Azure AD and requests should be authenticated in order to reach the API, so it should not be a problem if the API URL is discovered by users, as they would still need to authenticate.
Regarding API keys for services that may not support authentication, I would recommend creating a simple API to handle all the user requests. Like above, the API would be secured by Azure AD and receive only authenticated requests from users. The keys to the last API could be secured with KeyVault and retrieved by your API when needed, so it is all handled on the backend and never exposed in the browser.
Hope this helps
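Added example, not code from the thread or from any Microsoft library: one way the "simple API" the reply describes could be shaped in TypeScript, sitting between the web part and a key-only third-party service. The Key Vault client and the Azure AD token check are replaced by injected stand-ins so it runs offline; SecretStore, TokenValidator, ProxyDeps and handleProxy are hypothetical names.

```typescript
// Added example (not from the thread): the backend-for-frontend pattern the reply describes.
// SecretStore, TokenValidator, ProxyDeps and handleProxy are hypothetical names.
// In a real deployment SecretStore would wrap SecretClient from @azure/keyvault-secrets
// (whose getSecret is async) and TokenValidator would verify the Azure AD bearer token
// that AadHttpClient attaches to the web part's request.

interface SecretStore { getSecret(name: string): string; }
type TokenValidator = (bearer: string) => { upn: string } | null;

interface ProxyDeps {
  vault: SecretStore;
  validate: TokenValidator;
  // The downstream service that only understands a static API key.
  upstream: (url: string, headers: Record<string, string>) => string;
}
interface ProxyRequest { authorization?: string; query: string; }
interface ProxyResponse { status: number; body: string; }

// Authenticates the caller first, reads the key only afterwards, and uses it
// server-side; nothing read from the vault is copied into the response.
function handleProxy(req: ProxyRequest, deps: ProxyDeps): ProxyResponse {
  const m = /^Bearer (.+)$/.exec(req.authorization ?? "");
  const user = m ? deps.validate(m[1]) : null;
  if (!user) return { status: 401, body: "authentication required" };

  const apiKey = deps.vault.getSecret("third-party-api-key");
  const body = deps.upstream(
    "https://thirdparty.example/lookup?q=" + encodeURIComponent(req.query),
    { "x-api-key": apiKey, "x-on-behalf-of": user.upn },
  );
  return { status: 200, body };
}

// Constructed in-memory stand-ins so the example runs offline (no real vault or IdP).
const demoKey = "constructed-demo-key-123";
const demoState = { vaultReads: 0, upstreamHeaders: [] as Record<string, string>[] };
const demoDeps: ProxyDeps = {
  vault: { getSecret: () => { demoState.vaultReads++; return demoKey; } },
  validate: (t) => (t === "valid-token" ? { upn: "user@contoso.example" } : null),
  upstream: (_url, headers) => { demoState.upstreamHeaders.push(headers); return '{"items":[1,2]}'; },
};
```

The point to check in your own backend is the same as in the stand-ins: an unauthenticated call must never cause a vault read, and the key must appear only in the header sent to the upstream service, never in what goes back to the browser.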
kbeeveer46
Aug 19, 2021
Copper Contributor
Joel Rodrigues Thanks for your response. I figured using the AadHttpClient was the way to go after doing some research. Do you know if it's possible to use the same app registration in Azure for multiple versions of the same API call? For example, I have DEV/QA/PROD versions of an API and they all use a different URL for the endpoint. For example, the QA one has "qa" at the beginning of the URL.
From what I've researched, when I create an app registration I have to use the endpoint URL (like qa.website.com/api) as the Application ID URI. If that's the case does that mean I have to create an app registration for DEV, QA, and PROD?